feat(platform): harden access scoping and delivery baseline
This commit is contained in:
@@ -23,6 +23,167 @@ type EntitlementSnapshot = {
|
||||
pendingDays: number;
|
||||
};
|
||||
|
||||
function mapBalanceDetail(resource: {
|
||||
displayName: string;
|
||||
eid: string;
|
||||
}, balance: {
|
||||
year: number;
|
||||
entitledDays: number;
|
||||
carryoverDays: number;
|
||||
usedDays: number;
|
||||
pendingDays: number;
|
||||
remainingDays: number;
|
||||
sickDays: number;
|
||||
}) {
|
||||
return {
|
||||
resource: resource.displayName,
|
||||
eid: resource.eid,
|
||||
year: balance.year,
|
||||
entitlement: balance.entitledDays,
|
||||
carryOver: balance.carryoverDays,
|
||||
taken: balance.usedDays,
|
||||
pending: balance.pendingDays,
|
||||
remaining: balance.remainingDays,
|
||||
sickDays: balance.sickDays,
|
||||
};
|
||||
}
|
||||
|
||||
function mapYearSummaryDetail(
|
||||
year: number,
|
||||
summaries: Array<{
|
||||
displayName: string;
|
||||
eid: string;
|
||||
chapter: string | null;
|
||||
entitledDays: number;
|
||||
carryoverDays: number;
|
||||
usedDays: number;
|
||||
pendingDays: number;
|
||||
remainingDays: number;
|
||||
}>,
|
||||
resourceName?: string,
|
||||
) {
|
||||
const needle = resourceName?.toLowerCase();
|
||||
|
||||
return summaries
|
||||
.filter((summary) => {
|
||||
if (!needle) {
|
||||
return true;
|
||||
}
|
||||
return summary.displayName.toLowerCase().includes(needle)
|
||||
|| summary.eid.toLowerCase().includes(needle);
|
||||
})
|
||||
.slice(0, 50)
|
||||
.map((summary) => ({
|
||||
resource: summary.displayName,
|
||||
eid: summary.eid,
|
||||
chapter: summary.chapter ?? null,
|
||||
year,
|
||||
entitled: summary.entitledDays,
|
||||
carryover: summary.carryoverDays,
|
||||
used: summary.usedDays,
|
||||
pending: summary.pendingDays,
|
||||
remaining: summary.remainingDays,
|
||||
}));
|
||||
}
|
||||
|
||||
type EntitlementReadContext = Parameters<Parameters<typeof protectedProcedure["query"]>[0]>[0]["ctx"];
|
||||
|
||||
async function readBalanceSnapshot(
|
||||
ctx: Pick<EntitlementReadContext, "db" | "dbUser">,
|
||||
input: { resourceId: string; year: number },
|
||||
) {
|
||||
if (ctx.dbUser) {
|
||||
const allowedRoles = ["ADMIN", "MANAGER", "CONTROLLER"];
|
||||
if (!allowedRoles.includes(ctx.dbUser.systemRole)) {
|
||||
const resource = await ctx.db.resource.findUnique({
|
||||
where: { id: input.resourceId },
|
||||
select: { userId: true },
|
||||
});
|
||||
if (!resource || resource.userId !== ctx.dbUser.id) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "You can only view your own vacation balance",
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const settings = await ctx.db.systemSettings.findUnique({ where: { id: "singleton" } });
|
||||
const defaultDays = settings?.vacationDefaultDays ?? 28;
|
||||
const entitlement = await syncEntitlement(ctx.db, input.resourceId, input.year, defaultDays);
|
||||
|
||||
const sickVacationsResult = await ctx.db.vacation.findMany({
|
||||
where: {
|
||||
resourceId: input.resourceId,
|
||||
type: VacationType.SICK,
|
||||
status: VacationStatus.APPROVED,
|
||||
startDate: { lte: new Date(`${input.year}-12-31T00:00:00.000Z`) },
|
||||
endDate: { gte: new Date(`${input.year}-01-01T00:00:00.000Z`) },
|
||||
},
|
||||
select: { startDate: true, endDate: true, isHalfDay: true },
|
||||
});
|
||||
const sickVacations = Array.isArray(sickVacationsResult) ? sickVacationsResult : [];
|
||||
const sickDays = sickVacations.reduce(
|
||||
(sum, vacation) => sum + countCalendarDaysInPeriod(
|
||||
vacation,
|
||||
new Date(`${input.year}-01-01T00:00:00.000Z`),
|
||||
new Date(`${input.year}-12-31T00:00:00.000Z`),
|
||||
),
|
||||
0,
|
||||
);
|
||||
|
||||
return {
|
||||
year: input.year,
|
||||
resourceId: input.resourceId,
|
||||
entitledDays: entitlement.entitledDays,
|
||||
carryoverDays: entitlement.carryoverDays,
|
||||
usedDays: entitlement.usedDays,
|
||||
pendingDays: entitlement.pendingDays,
|
||||
remainingDays: Math.max(
|
||||
0,
|
||||
entitlement.entitledDays - entitlement.usedDays - entitlement.pendingDays,
|
||||
),
|
||||
sickDays,
|
||||
};
|
||||
}
|
||||
|
||||
async function readYearSummarySnapshot(
|
||||
ctx: Pick<EntitlementReadContext, "db">,
|
||||
input: { year: number; chapter?: string },
|
||||
) {
|
||||
const settings = await ctx.db.systemSettings.findUnique({ where: { id: "singleton" } });
|
||||
const defaultDays = settings?.vacationDefaultDays ?? 28;
|
||||
|
||||
const resources = await ctx.db.resource.findMany({
|
||||
where: {
|
||||
isActive: true,
|
||||
...(input.chapter ? { chapter: input.chapter } : {}),
|
||||
},
|
||||
select: { ...RESOURCE_BRIEF_SELECT, chapter: true },
|
||||
orderBy: [{ chapter: "asc" }, { displayName: "asc" }],
|
||||
});
|
||||
|
||||
return Promise.all(
|
||||
resources.map(async (resource) => {
|
||||
const entitlement = await syncEntitlement(ctx.db, resource.id, input.year, defaultDays);
|
||||
return {
|
||||
resourceId: resource.id,
|
||||
displayName: resource.displayName,
|
||||
eid: resource.eid,
|
||||
chapter: resource.chapter,
|
||||
entitledDays: entitlement.entitledDays,
|
||||
carryoverDays: entitlement.carryoverDays,
|
||||
usedDays: entitlement.usedDays,
|
||||
pendingDays: entitlement.pendingDays,
|
||||
remainingDays: Math.max(
|
||||
0,
|
||||
entitlement.entitledDays - entitlement.usedDays - entitlement.pendingDays,
|
||||
),
|
||||
};
|
||||
}),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get or create an entitlement record, applying carryover from previous year if needed.
|
||||
*/
|
||||
@@ -163,6 +324,15 @@ export const entitlementRouter = createTRPCRouter({
|
||||
* Creates the entitlement record if it doesn't exist (with carryover).
|
||||
*/
|
||||
getBalance: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
resourceId: z.string(),
|
||||
year: z.number().int().min(2000).max(2100).default(new Date().getFullYear()),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => readBalanceSnapshot(ctx, input)),
|
||||
|
||||
getBalanceDetail: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
resourceId: z.string(),
|
||||
@@ -170,63 +340,20 @@ export const entitlementRouter = createTRPCRouter({
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
// Ownership check: USER can only query their own balance
|
||||
if (ctx.dbUser) {
|
||||
const allowedRoles = ["ADMIN", "MANAGER", "CONTROLLER"];
|
||||
if (!allowedRoles.includes(ctx.dbUser.systemRole)) {
|
||||
const resource = await ctx.db.resource.findUnique({
|
||||
where: { id: input.resourceId },
|
||||
select: { userId: true },
|
||||
});
|
||||
if (!resource || resource.userId !== ctx.dbUser.id) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "You can only view your own vacation balance",
|
||||
});
|
||||
}
|
||||
}
|
||||
const balance = await readBalanceSnapshot(ctx, input);
|
||||
const resource = await ctx.db.resource.findUnique({
|
||||
where: { id: input.resourceId },
|
||||
select: { displayName: true, eid: true },
|
||||
});
|
||||
|
||||
if (!resource) {
|
||||
throw new TRPCError({
|
||||
code: "NOT_FOUND",
|
||||
message: "Resource not found",
|
||||
});
|
||||
}
|
||||
|
||||
const settings = await ctx.db.systemSettings.findUnique({ where: { id: "singleton" } });
|
||||
const defaultDays = settings?.vacationDefaultDays ?? 28;
|
||||
|
||||
// Sync from real vacation records
|
||||
const entitlement = await syncEntitlement(ctx.db, input.resourceId, input.year, defaultDays);
|
||||
|
||||
// Also count sick days (informational)
|
||||
const sickVacationsResult = await ctx.db.vacation.findMany({
|
||||
where: {
|
||||
resourceId: input.resourceId,
|
||||
type: VacationType.SICK,
|
||||
status: VacationStatus.APPROVED,
|
||||
startDate: { lte: new Date(`${input.year}-12-31T00:00:00.000Z`) },
|
||||
endDate: { gte: new Date(`${input.year}-01-01T00:00:00.000Z`) },
|
||||
},
|
||||
select: { startDate: true, endDate: true, isHalfDay: true },
|
||||
});
|
||||
const sickVacations = Array.isArray(sickVacationsResult) ? sickVacationsResult : [];
|
||||
const sickDays = sickVacations.reduce(
|
||||
(sum, v) => sum + countCalendarDaysInPeriod(
|
||||
v,
|
||||
new Date(`${input.year}-01-01T00:00:00.000Z`),
|
||||
new Date(`${input.year}-12-31T00:00:00.000Z`),
|
||||
),
|
||||
0,
|
||||
);
|
||||
|
||||
return {
|
||||
year: input.year,
|
||||
resourceId: input.resourceId,
|
||||
entitledDays: entitlement.entitledDays,
|
||||
carryoverDays: entitlement.carryoverDays,
|
||||
usedDays: entitlement.usedDays,
|
||||
pendingDays: entitlement.pendingDays,
|
||||
remainingDays: Math.max(
|
||||
0,
|
||||
entitlement.entitledDays - entitlement.usedDays - entitlement.pendingDays,
|
||||
),
|
||||
sickDays,
|
||||
};
|
||||
return mapBalanceDetail(resource, balance);
|
||||
}),
|
||||
|
||||
/**
|
||||
@@ -366,39 +493,25 @@ export const entitlementRouter = createTRPCRouter({
|
||||
chapter: z.string().optional(),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
const settings = await ctx.db.systemSettings.findUnique({ where: { id: "singleton" } });
|
||||
const defaultDays = settings?.vacationDefaultDays ?? 28;
|
||||
.query(async ({ ctx, input }) => readYearSummarySnapshot(ctx, {
|
||||
year: input.year,
|
||||
...(input.chapter ? { chapter: input.chapter } : {}),
|
||||
})),
|
||||
|
||||
const resources = await ctx.db.resource.findMany({
|
||||
where: {
|
||||
isActive: true,
|
||||
...(input.chapter ? { chapter: input.chapter } : {}),
|
||||
},
|
||||
select: { ...RESOURCE_BRIEF_SELECT, chapter: true },
|
||||
orderBy: [{ chapter: "asc" }, { displayName: "asc" }],
|
||||
getYearSummaryDetail: managerProcedure
|
||||
.input(
|
||||
z.object({
|
||||
year: z.number().int().min(2000).max(2100).default(new Date().getFullYear()),
|
||||
chapter: z.string().optional(),
|
||||
resourceName: z.string().optional(),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
const summaries = await readYearSummarySnapshot(ctx, {
|
||||
year: input.year,
|
||||
...(input.chapter ? { chapter: input.chapter } : {}),
|
||||
});
|
||||
|
||||
const results = await Promise.all(
|
||||
resources.map(async (r) => {
|
||||
const entitlement = await syncEntitlement(ctx.db, r.id, input.year, defaultDays);
|
||||
return {
|
||||
resourceId: r.id,
|
||||
displayName: r.displayName,
|
||||
eid: r.eid,
|
||||
chapter: r.chapter,
|
||||
entitledDays: entitlement.entitledDays,
|
||||
carryoverDays: entitlement.carryoverDays,
|
||||
usedDays: entitlement.usedDays,
|
||||
pendingDays: entitlement.pendingDays,
|
||||
remainingDays: Math.max(
|
||||
0,
|
||||
entitlement.entitledDays - entitlement.usedDays - entitlement.pendingDays,
|
||||
),
|
||||
};
|
||||
}),
|
||||
);
|
||||
|
||||
return results;
|
||||
return mapYearSummaryDetail(input.year, summaries, input.resourceName);
|
||||
}),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user